authoraszlig <aszlig@nix.build>2019-01-04 01:49:50 +0100
committeraszlig <aszlig@nix.build>2019-01-04 01:49:50 +0100
commit751bdacc9b726bf8e4623a7375e96563ee3614a5 (patch)
treec01877b976832941083d508e86d52f7b37c1917d /nixos/modules/services/networking/nsd.nix
parente753bc125f23225b1fb26ab7f4819d273bf2ed49 (diff)
nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

  (import ./nixos {
    configuration = { lib, pkgs, ... }: {
      services.nsd.enable = true;
      services.nsd.zones = import (pkgs.writeText "foo.nix" ''
        { "foo.".data = "xyz";
          "foo.".dnssec = true;
        }
      '');
    };
  }).vm

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
Diffstat (limited to 'nixos/modules/services/networking/nsd.nix')
-rw-r--r--nixos/modules/services/networking/nsd.nix10
1 files changed, 4 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/nsd.nix b/nixos/modules/services/networking/nsd.nix
index cde47bf23ea..492845eb4ec 100644
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@@ -437,6 +437,8 @@ let
 
   dnssec = length (attrNames dnssecZones) != 0; 
 
+  dnssecTools = pkgs.bind.override { enablePython = true; };
+
   signZones = optionalString dnssec ''
     mkdir -p ${stateDir}/dnssec
     chown ${username}:${username} ${stateDir}/dnssec
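Review bot: The new `dnssecTools` binding carries no comment explaining why bind is overridden locally rather than through `nixpkgs.config`; the reason (infinite recursion when `services.nsd.zones` is computed from `pkgs`) lives only in the commit message. A short comment above the binding would stop a later cleanup from moving it back, for example `# Python is only needed for the dnssec-* tools; override here, setting nixpkgs.config from this module causes infinite recursion`. The enclosing `let` block starts and ends outside this hunk.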
@@ -445,8 +447,8 @@ let
     ${concatStrings (mapAttrsToList signZone dnssecZones)}
   '';
   signZone = name: zone: ''
-    ${pkgs.bind}/bin/dnssec-keymgr -g ${pkgs.bind}/bin/dnssec-keygen -s ${pkgs.bind}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
-    ${pkgs.bind}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
+    ${dnssecTools}/bin/dnssec-keymgr -g ${dnssecTools}/bin/dnssec-keygen -s ${dnssecTools}/bin/dnssec-settime -K ${stateDir}/dnssec -c ${policyFile name zone.dnssecPolicy} ${name}
+    ${dnssecTools}/bin/dnssec-signzone -S -K ${stateDir}/dnssec -o ${name} -O full -N date ${stateDir}/zones/${name}
     ${nsdPkg}/sbin/nsd-checkzone ${name} ${stateDir}/zones/${name}.signed && mv -v ${stateDir}/zones/${name}.signed ${stateDir}/zones/${name}
   '';
   policyFile = name: policy: pkgs.writeText "${name}.policy" ''
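Review bot: The rewritten `signZone` lines still splice `${name}` and `${stateDir}` into the shell script unquoted, in both the `dnssec-keymgr` and `dnssec-signzone` invocations and in the unchanged `nsd-checkzone … && mv` line. Zone names are the attribute names of `services.nsd.zones`, and this commit makes it possible again to generate them via import-from-derivation, so they are less likely to be hand-written literals. A name containing whitespace or shell metacharacters would change what the signing script runs. Passing the values through `escapeShellArg`, e.g. `-o ${escapeShellArg name}` and `${escapeShellArg "${stateDir}/zones/${name}"}`, would close that off; this assumes the lib functions are in scope unqualified, as the other calls in the hunk suggest.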
@@ -953,10 +955,6 @@ in
       '';
     };
 
-    nixpkgs.config = mkIf dnssec {
-      bind.enablePython = true;
-    };
-
     systemd.timers."nsd-dnssec" = mkIf dnssec {
       description = "Automatic DNSSEC key rollover";